
How would transitive dependencies be handled?

EU CRA is trying to mandate certification of some dependencies, which may result in fees going to 3rd-party certifying orgs, rather than OSS projects.

In theory, customers with budget for improving their OSS supply chain could configure an OSS micropayment allocator to parse a graph of dependent:

  • SBOMs
  • roadmaps
  • requirements
  • bug reports
  • test reports
  • compliance rules
then distribute funds based on performance metrics defined by each customer. That could move SBOMs from cost center to revenue/operations center, without centralization.

LF OpenSSF 2024 report covers centralized efforts to improve OSS supply chains, https://openssf.org/download-the-2024-openssf-annual-report/
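As an added illustration of the allocator idea sketched above (example code written for this thread, not the commenter's or any real project's): it parses a constructed CycloneDX-style SBOM fragment, checks that every dependency reference is a declared component, then walks the transitive dependency graph from the customer's root component and splits a budget down the graph using customer-defined weights. The `pass_down` fraction and the `WEIGHTS` table are assumptions standing in for "performance metrics defined by each customer"; back edges are skipped so a dependency cycle neither loops nor gets funded twice.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment; the package refs are made up.
SBOM = json.loads("""
{
  "components": [
    {"bom-ref": "pkg:app",  "name": "app"},
    {"bom-ref": "pkg:web",  "name": "web-framework"},
    {"bom-ref": "pkg:tls",  "name": "tls-lib"},
    {"bom-ref": "pkg:json", "name": "json-parser"},
    {"bom-ref": "pkg:asn1", "name": "asn1-codec"}
  ],
  "dependencies": [
    {"ref": "pkg:app",  "dependsOn": ["pkg:web", "pkg:tls"]},
    {"ref": "pkg:web",  "dependsOn": ["pkg:json", "pkg:tls"]},
    {"ref": "pkg:tls",  "dependsOn": ["pkg:asn1"]},
    {"ref": "pkg:asn1", "dependsOn": ["pkg:tls"]}
  ]
}
""")

# Assumed customer-defined metric per component (e.g. criticality score).
WEIGHTS = {"pkg:web": 1.0, "pkg:tls": 3.0, "pkg:json": 1.0, "pkg:asn1": 2.0}


def undeclared_refs(sbom):
    """Refs used in the dependency graph that no component declares."""
    declared = {c["bom-ref"] for c in sbom["components"]}
    used = set()
    for d in sbom["dependencies"]:
        used.add(d["ref"])
        used.update(d.get("dependsOn", []))
    return used - declared


def allocate(sbom, root, budget, weights, pass_down=0.5):
    """Split `budget` over the transitive dependencies of `root`.
    Each non-root component keeps (1 - pass_down) of what reaches it and
    passes the rest to its direct dependencies in proportion to `weights`.
    Edges back into the current path are ignored, so cycles terminate."""
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    shares = defaultdict(float)

    def visit(ref, amount, path):
        children = [c for c in deps.get(ref, []) if c not in path]
        keep = 0.0 if ref == root else (1.0 - pass_down)
        if not children:          # leaf (or only back edges): keep it all
            shares[ref] += amount
            return
        shares[ref] += amount * keep
        total = sum(weights.get(c, 1.0) for c in children)
        for c in children:
            share = amount * (1.0 - keep) * weights.get(c, 1.0) / total
            visit(c, share, path | {c})

    visit(root, float(budget), {root})
    return dict(shares)
```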




> How would transitive dependencies be handled?

Have a SBOM format whose license requires truthful reporting (or the license is null and defaults to open source), then trust only those SBOM formats with this property.

Taleb's minority law will do the rest. Pretty soon, most SBOM formats will adopt this rule.



